Comment 11 for bug 959842

Bryce Harrington (bryce) wrote: Re: [Bug 959842] Re: root escalation via /dev/nvidia0

On Fri, Mar 30, 2012 at 05:01:56PM -0000, Daniel Dadap wrote:
> Examination of the exploit code helped us to identify the driver
> vulnerability that it attacks, and we're testing some driver changes
> right now to ensure that they'll be able to block this attack;
> however, we haven't yet actually gotten the exploit to successfully find
> the payload, when compiled exactly as written.
>
> We are able to find the payload if we remove the hardcoded offsets to
> pmem and instead loop over the mapped memory, but for completeness, we
> want to be able to reproduce with the code exactly as it was provided: for
> reference, what kind of system was this exploit originally developed
> for, running which kernel version, etc?
>
> (An nvidia-bug-report.log file will capture other details we may be
> interested in, so if one can be provided, that would be helpful.)

I think the individual wishes to remain anonymous, however he passed
along some additional comments about this:

"""
oh it seems to be a bit picky, sometimes the kernel won't align
right. The real problem already happens when you can successfully map it.
I just tried to identify the zero page of the linux kernel.
Compare with a copy from /dev/mem. That's all my code is doing, showing
that /dev/nvidia0 was a world read/writable version of /dev/mem :-)
"""

> https://bugs.launchpad.net/bugs/959842
>
> Title:
> root escalation via /dev/nvidia0
>
> Status in “nvidia-graphics-drivers” package in Ubuntu:
> Triaged
>
> Bug description:
> It was raised to me just now that there is a security issue with
> /dev/nvidia0 where an unprivileged account can access kernel memory
> and gain root access. An example exploit is attached.
>